simo Profile
simo

@_simo36

Followers
7K
Following
921
Media
6
Statuses
36

Joined December 2013
@_simo36
simo
1 year
I audited the Android kernel in late 2023 and reported 10+ kernel bugs to Google, along with 2 exploits. Today, I'm releasing the first exploit, targeting the Mali GPU on Pixel devices, accessible from an untrusted_app context.
26
263
1K
@_simo36
simo
3 years
Tweet media one
36
38
370
@_simo36
simo
3 years
I'm sharing two other iOS kernel vulnerabilities reachable from the default app sandbox that don’t require you to open a UserClient:
16
119
472
@_simo36
simo
3 years
CVE-2022-32932 is another vulnerability I discovered in the ANE kernel interface; this is a double fetch issue that resulted in an interesting OOB write.
9
69
273
@_simo36
simo
3 years
My #POC2022 slides + the iOS kernel r/w exploit can be found here :). Thanks @POC_Crew for a fantastic conference; I'm truly honored to have been part of it.
24
199
606
@_simo36
simo
3 years
+16 kernel bugs I reported to Apple have been fixed in iOS 16/16.1. I'll give a talk on how I chained some bugs to achieve kernel r/w at #POC2022 next month, and the kernel exploit for iOS 15 will be released along with some other high-impact vulns after the conference.
31
145
765
@_simo36
simo
3 years
My favorite IDA 8.0 feature so far: artificial Obj-C method imports
Tweet media one
4
3
30
@_simo36
simo
3 years
Tweet media one
35
83
581
@_simo36
simo
3 years
In iOS 15.5 beta 3, Apple removed IOMallocAligned(KHEAP_DEFAULT, ...) from IOSharedDataQueue/IODataQueue::initWithCapacity() (it now uses kernel_memory_allocate() with the KMA_DATA flag). It was an elegant technique to groom the kernel default heap with user-controlled data. RIP.
8
38
280
@_simo36
simo
3 years
And if you lean more toward IDA, you can also import the C header from Ghidra and parse it there :-)
Tweet media one
0
1
16
@_simo36
simo
3 years
I’ve updated ghidra_kernelcache! Now it’s compatible with Ghidra 10.1+, with macOS KEXT/Kernelcache support, PAC Xrefs, better class definition with a custom class construction feature, DWARF4 and more. Check it out.
2
27
129
@_simo36
simo
4 years
Looks like Ghidra does not support LC_DYLD_CHAINED_FIXUPS for macOS M1 KEXTs; here is a dirty script to fix it.
1
4
23
@_simo36
simo
5 years
I've updated the oob_events exploit and it should work fine on A12+ devices (with a 60% success rate) and ~95% on devices with a lower RAM size, i.e. A10. Tested on iPhone 11 and iPhone 7.
19
18
150
@_simo36
simo
5 years
The exploit on arm64e is not quite reliable, unlike on iPhone9,3 (which works 9/10 times); expect a lot of kernel panics. It needs some work, and it’s hard to make such an exploit generic and working across all devices.
3
10
50
@_simo36
simo
5 years
I don't recommend using it on your personal device or using it for a jailbreak. It may leave your device in an unstable state. You’ve been warned.
3
4
54
@_simo36
simo
5 years
Here is a PoC kernel exploit; it demonstrates how to get the kernel task port on iOS 13.7. I will update the PoC with a writeup later.
27
120
462
@_simo36
simo
5 years
I've checked iOS 14.1, which shipped with IOGPUFamily (the successor of IOAcceleratorFamily), and didn't find a matching pattern to trigger the bug, so it works only on iOS 13.x and on all devices using IOAcceleratorFamily, i.e. macOS.
5
8
36
@_simo36
simo
5 years
PoC for an iOS kernel bug reachable from within the sandbox; I may drop the exploit later.
18
163
526
@_simo36
simo
5 years
ghidra_kernelcache: a Ghidra iOS kernelcache framework for reverse engineering.
6
34
136
@_simo36
simo
5 years
iOS 13.6 forced me to rewrite the exploit from scratch.
9
8
100